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This  paper  shows  how  to  harness  existing  theorem  provers  for  first-order  logic  to 
automatically  verify  safety  properties  of  imperative  programs  that  perform  dynamic 
storage  allocation  and  destructive  updating  of  pointer-valued  structure  fields.  One  of 
the  main  obstacles  is  specifying  and  proving  the  (absence)  of  reachability  properties 
among  dynamically  allocated  cells. 

The  main  technical  contributions  are  methods  for  simulating  reachability  in  a  con¬ 
servative  way  using  first-order  formulas — the  formulas  describe  a  superset  of  the  set  of 
program  states  that  can  actually  arise.  These  methods  are  employed  for  semi-automatic 
program  verification  (i.e.,  using  programmer-supplied  loop  invariants)  on  programs 
such  as  mark-and-sweep  garbage  collection  and  destructive  reversal  of  a  singly  linked 
list.  (The  mark-and-sweep  example  has  been  previously  reported  as  being  beyond  the 
capabilities  of  ESC/Java.) 

1  Introduction 

This  paper  explores  how  to  harness  existing  theorem  provers  for  first-order  logic  to 
prove  reachability  properties  of  programs  that  manipulate  dynamically  allocated  data 
structures.  The  approach  that  we  use  involves  simulating  reachability  in  a  conserva¬ 
tive  way  using  first-order  formulas — i.e.,  the  formulas  describe  a  superset  of  the  set  of 
program  states  that  can  actually  arise. 

Automatically  establishing  safety  and  liveness  properties  of  sequential  and  concur¬ 
rent  programs  that  permit  dynamic  storage  allocation  and  low-level  pointer  manipula¬ 
tions  is  challenging.  Dynamic  allocation  causes  the  state  space  to  be  infinite;  moreover, 
a  program  is  permitted  to  mutate  a  data  structure  by  destructively  updating  pointer¬ 
valued  fields  of  nodes.  These  features  remain  even  if  a  programming  language  has  good 
capabilities  for  data  abstraction.  Abstract-datatype  operations  are  implemented  using 
loops,  procedure  calls,  and  sequences  of  low-level  pointer  manipulations;  consequently, 
it  is  hard  to  prove  that  a  data-structure  invariant  is  reestablished  once  a  sequence  of  op¬ 
erations  is  finished  [1].  In  languages  such  as  Java,  concurrency  poses  yet  another  chal¬ 
lenge:  establishing  the  absence  of  deadlock  requires  establishing  the  absence  of  any 
cycle  of  threads  that  are  waiting  for  locks  held  by  other  threads. 

Reachability  is  crucial  for  reasoning  about  linked  data  structures.  For  instance,  to 
establish  that  a  memory  configuration  contains  no  garbage  elements,  we  must  show  that 
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every  element  is  reachable  from  some  program  variable.  Other  cases  where  reachability 
is  a  useful  notion  include 

-  Specifying  acyclicity  of  data-structure  fragments,  i.e.,  every  element  reachable  from 
node  n  cannot  reach  n 

-  Specifying  the  effect  of  procedure  calls  when  references  are  passed  as  arguments: 
only  elements  that  are  reachable  from  a  formal  parameter  can  be  modified 

-  Specifying  the  absence  of  deadlocks 

-  Specifying  safety  conditions  that  allow  establishing  that  a  data-structure  traversal 
terminates,  e.g.,  there  is  a  path  from  a  node  to  a  sink-node  of  the  data  structure. 

The  verification  of  such  properties  presents  a  challenge.  Even  simple  decidable  frag¬ 
ments  of  first-order  logic  become  undecidable  when  reachability  is  added  [2, 3].  More¬ 
over,  the  utility  of  monadic  second-order  logic  on  trees  is  rather  limited  because  (i)  many 
programs  allow  non-tree  data  structures,  (ii)  expressing  postconditions  of  procedures 
(which  is  essential  for  modular  reasoning)  requires  referring  to  the  pre-state  that  holds 
before  the  procedure  executes,  and  thus  cannot,  in  general,  be  expressed  in  monadic 
second-order  logic  on  trees — even  for  procedures  that  manipulate  only  singly-linked 
lists,  such  as  the  in-situ  list-reversal  program  shown  in  Fig.  1  ,  and  (iii)  the  complexity 
is  prohibitive. 

While  our  work  was  actually  motivated  by  our  experience  using  abstract  interpreta¬ 
tion  -  and,  in  particular,  the  TVLA  system  [4-6]  -  to  establish  properties  of  programs 
that  manipulate  heap-allocated  data  structures,  in  this  paper,  we  consider  the  problem 
of  verifying  data-structure  operations,  assuming  that  we  have  user-supplied  loop  invari¬ 
ants.  This  is  similar  to  the  approach  taken  in  systems  like  ESC/Java  [7],  and  Pale  [8]. 
The  contributions  of  the  paper  can  be  summarized  as  follows: 

Handling  FO(TC)  formulas  using  FO  theorem  provers.  We  want  to  use  first- 
order  theorem  provers  and  we  need  to  discuss  the  transitive  closure  of  certain  binary 
predicates,  /.  However,  first-order  theorem  provers  cannot  handle  transitive  closure.  We 
solve  this  conundrum  by  adding  a  new  relation  symbol  ftc  for  each  such  /,  together  with 
first-order  axioms  that  assure  that  /tc  is  interpreted  correctly.  The  theoretical  details  of 
how  this  is  done  are  presented  in  Sections  3  and  4.  The  fact  that  we  are  able  to  handle 
transitive  closure  effectively  and  reasonably  automatically  is  a  major  contribution  and 
quite  surprising. 

As  explained  in  Section  3,  the  axioms  that  we  add  to  control  the  behavior  of  the 
added  predicates,  /tc,  must  be  sound  but  not  necessarily  complete.  One  way  to  think 
about  this  is  that  we  are  simulating  a  formula,  x,  in  which  transitive  closure  occurs,  with 
a  pure  first-order  formula  x'-  If  our  axioms  are  not  complete  then  we  are  allowing  x'  to 
denote  more  stores  than  x  does.  This  is  motivated  by  the  fact  that  abstraction  can  be  an 
aid  in  the  verification  of  many  properties;  that  is,  a  definite  answer  can  sometimes  be 
obtained  even  when  information  has  been  lost  (in  a  conservative  manner).  This  means 
that  our  methods  are  sound  but  potentially  incomplete. 

If  x'  is  proven  valid  in  FO  then  x  is  also  valid  in  FO(TC);  however,  if  we  fail  to 
prove  that  x'  is  valid,  it  is  still  possible  that  x  is  valid:  the  failure  would  be  due  to  the 
incompleteness  of  the  axioms,  or  the  lack  of  time  or  space  for  the  theorem  prover  to 
complete  the  proof. 

It  is  easy  to  write  a  sound  axiom,  7i[/],  that  is  “complete”  in  the  very  limited 
sense  that  every  finite,  acyclic  model  satisfying  Ti  [/]  must  interpret  ftc  as  the  reflexive, 
transitive  closure  of  its  interpretation  of  /.  However,  in  practice  this  is  not  worth  much 
because,  as  is  well-known,  finiteness  is  not  expressible  in  first-order  logic.  Thus,  the 


properties  that  we  want  to  prove  do  not  follow  from  Ti  [/] .  We  do  prove  that  Ti  [/]  is 
complete  for  positive  transitive-closure  properties.  The  real  difficulties  lie  in  proving 
properties  involving  the  negation  of  TC[/]. 

Induction  axiom  scheme.  To  solve  the  above  problem,  we  add  an  induction  axiom 
scheme.  Although  in  general,  there  is  no  complete,  recursively-enumerable  axioma- 
tization  of  transitive  closure,  we  have  found  that  on  the  examples  we  have  tried,  Ti 
plus  induction  allows  us  to  automatically  prove  all  of  our  desired  properties.  We  think 
of  the  axioms  that  we  use  as  aides  for  the  first-order  theorem  prover  that  we  employ 
(Spass  [9])  to  prove  the  properties  in  question.  Rather  than  giving  Spass  many  in¬ 
stances  of  the  induction  scheme,  our  experience  is  that  it  finds  the  proof  faster  if  we 
give  it  several  axioms  that  are  simpler  to  use  than  induction.  As  already  mentioned,  the 
hard  part  is  to  show  that  certain  paths  do  not  exist. 

Coloring  axiom  schemes.  In  particular,  we  use  three  axiom  schemes,  having  to  do 
with  partitioning  memory  into  a  small  set  of  colors.  We  call  instances  of  these  schemes 
“coloring  axioms”.  Our  coloring  axioms  are  simple,  and  are  easily  proved  using  Spass 
(in  under  ten  seconds)  from  the  induction  axioms.  For  example,  the  first  coloring 
axiom  scheme,  NoExit[A,  /],  says  that  if  no  /-edges  leave  color  class.  A,  then  no  /- 
paths  leave  A.  It  turns  out  that  the  NoExit  axiom  scheme  implies  -  and  thus  is  equivalent 
to  -  the  induction  scheme.  However,  we  have  found  in  practice  that  explicitly  adding 
other  coloring  axioms  (which  are  consequences  of  NoExit)  enables  Spass  to  prove 
properties  that  it  otherwise  fails  at. 

We  first  assume  that  the  programmer  provides  the  colors  by  means  of  first-order  for¬ 
mulas  with  transitive  closure.  Our  initial  experience  indicates  that  the  generated  color¬ 
ing  axioms  are  useful  to  Spass.  In  particular,  it  provides  the  ability  to  verify  programs 
like  the  mark  phase  of  a  mark-and-sweep  garbage  collector.  This  example  has  been 
previously  reported  as  being  beyond  the  capabilities  of  ESC/Java.  TVLA  also  succeeds 
on  this  example;  however  our  new  approach  provides  verification  methods  that  can  in 
some  instances  be  more  precise  than  TVLA. 

Prototype  implementation.  Perhaps  most  exciting,  we  have  implemented  the  heuris¬ 
tics  for  selecting  colors  and  their  corresponding  axioms  in  a  prototype  using  Spass. 
We  have  used  this  to  automatically  choose  useful  color  axioms  and  then  verify  several 
small  heap-manipulating  programs.  More  work  needs  to  be  done  here,  but  the  initial 
results  are  very  encouraging. 

Strengthening  Nelson’s  results.  Greg  Nelson  considered  a  set  of  axiom  schemes 
for  reasoning  about  reachability  in  function  graphs,  i.e.,  graphs  in  which  there  is  at 
most  one  /-edge  leaving  any  node  [10].  He  left  open  the  question  of  whether  his  axiom 
schemes  were  complete  for  function  graphs.  We  show  that  Nelson’s  axioms  are  prov¬ 
able  from  Ti  plus  our  induction  axioms.  We  also  show  that  Nelson’s  axioms  are  not 
complete:  in  fact,  they  do  not  imply  NoExit. 

Outline.  The  remainder  of  the  paper  is  organized  as  follows:  Section  2  explains  our 
notation  and  the  setting;  Section  3  introduces  the  induction  axiom  scheme  and  fills  in 
our  formal  framework;  Section  4  states  the  coloring  axiom  schemes;  Section  5  explains 
the  details  of  our  heuristics;  Section  6  describes  some  related  work;  Section  7  describes 
some  future  directions. 

2  Preliminaries 

This  section  defines  the  basic  notations  used  in  this  paper  and  the  setting. 


2.1  Notation 

Syntax:  A  relational  vocabulary  r  =  {pi,p2,  ■  ■  ■  ,Pk}  is  a  set  of  relation  symbols, 
each  of  fixed  arity.  We  write  first-order  formulas  over  r  with  quantifiers  V  and  3, 
logical  connectives  A,  V,  and  where  atomic  formulas  include:  equality, 

Pi{vi,V2,  ■  ■  -Vat),  and  TC[/](wi, V2),  where  pi  G  t  is  of  arity  at  and  /  G  r  is  bi¬ 
nary.  Here  TC[/](ui,V2)  denotes  the  existence  of  a  finite  path  of  0  or  more  /  edges 
from  vi  to  V2.  A  formula  without  TC  is  called  a  first-order  formula. 

We  use  the  following  precedence  of  logical  operators:  ^  has  highest  precedence, 
followed  by  A  and  V,  followed  by  ^  and  and  V  and  3  have  lowest  precedence. 

Semantics:  A  model.  A,  of  vocabulary  t,  consists  of  a  non-empty  universe,  |Al|, 
and  a  relation  p-^  over  the  universe  interpreting  each  relation  symbol  p  €  t.  We  write 
A\=  pXo  mean  that  the  formula  tp  is  true  in  the  model  A. 

2.2  Setting 

We  are  primarily  interested  in  formulas  that  arise  while  proving  the  correctness  of  pro¬ 
grams.  We  assume  that  the  programmer  specifies  pre  and  post-conditions  for  procedures 
and  loop  invariants  using  first-order  formulas  with  transitive  closure  on  binary  relations. 
The  transformer  for  a  loop  body  can  be  produced  automatically  from  the  program  code. 

For  instance,  to  establish  the  partial  correctness  with  respect  to  a  user-supplied  spec¬ 
ification  of  a  program  that  contains  a  single  loop,  we  need  to  establish  three  properties: 
First,  the  loop  invariant  must  hold  at  the  beginning  of  the  first  iteration;  i.e.,  we  must 
show  that  the  loop  invariant  follows  from  the  precondition  and  the  code  leading  to  the 
loop.  Second,  the  loop  invariant  provided  by  the  user  must  be  maintained;  i.e.,  we  must 
show  that  if  the  loop  invariant  holds  at  the  beginning  of  an  iteration  and  the  loop  con¬ 
dition  also  holds,  the  transformer  causes  the  loop  invariant  to  hold  at  the  end  of  the 
iteration.  Finally,  the  postcondition  must  follow  from  the  loop  invariant  and  the  condi¬ 
tion  for  exiting  the  loop. 

In  general,  these  formulas  are  of  the  form 

iPi[t]  a  T[t,t']  1p2[T'] 

where  t  is  the  vocabulary  of  the  before  state,  r'  is  the  vocabulary  of  the  after  state,  and 
T  is  the  transformer,  which  may  use  both  the  before  and  after  predicates  to  describe 
the  meaning  of  the  module  to  be  executed.  If  symbol  /  denotes  the  value  of  a  predicate 
before  the  operation  then  /'  denotes  the  value  of  the  same  predicate  after  the  operation. 

An  interesting  special  case  is  the  proof  of  the  maintenance  formula  of  a  loop  invari¬ 
ant.  This  has  the  form: 

LC[t]  a  LI[t]  a  T[t,  t']  LI[t'] 

Here  LC  is  the  condition  for  entering  the  loop  and  LI  is  the  loop  invariant.  LI[t'] 
indicates  that  the  loop  invariant  remains  true  after  the  body  of  the  loop  is  executed. 

The  challenge  is  that  the  formulas  of  interest  contain  transitive  closure;  thus,  the 
validity  of  these  formulas  cannot  be  directly  proven  using  a  theorem  prover  for  first- 
order  logic. 

3  Axiomatization  of  Transitive  Closure 

The  original  formula  that  we  want  to  prove,  x,  contains  transitive  closure,  which  first- 
order  theorem  provers  cannot  handle.  To  address  this  problem,  we  replace  x  by  the 
new  formula,  x^  where  all  appearances  of  TC[/]  have  been  replaced  by  the  new  binary 
relation  symbol,  /tc. 


We  show  in  this  paper  that  from  we  can  often  automatically  generate  an  appro¬ 
priate  first-order  axiom,  cr,  with  the  following  two  properties: 

1.  if  CT  is  valid  in  FO  then  x  is  valid  in  FO(TC). 

2.  A  theorem  prover  successfully  proves  that  cr  ^  X^  is  valid  in  FO. 

We  now  explain  the  theory  behind  this  process.  A  TC  model,  A,  is  a  model  such 
that  if  /  and  /tc  are  in  the  vocabulary  of  A,  then  (/tc)"^  =  i-C-^  A  interprets  ftc 

as  the  reflexive,  transitive  closure  of  its  interpretation  of  /. 

A  first-order  formula  ip  is  TC  valid  iff  it  is  true  in  all  TC  models.  We  say  that  an 
axiomatization,  27,  is  TC  sound  if  every  formula  that  follows  from  27  is  TC  valid.  Since 
first-order  reasoning  is  sound,  27  is  TC  sound  iff  every  cr  G  27  is  TC  valid. 

We  say  that  27  is  TC  complete  if  for  every  TC-valid  ip,  S  \=  ip.\i  S  is  TC  complete 
and  TC  sound,  then  for  all  first-order  ip, 

S  \=  p  (p  is  TC  valid 

Thus  a  TC-complete  set  of  axioms  proves  exactly  the  first-order  formulas,  x^  such 
that  the  corresponding  FO(TC)  formula,  x^  is  valid. 

All  the  axiomatizations  that  we  consider  are  TC  sound.  There  is  no  recursively 
enumerable  TC-complete  axiom  system  (see  [11, 12]). 

3.1  Some  TC-Sound  Axioms 

We  begin  with  our  first  TC  axiom  scheme.  For  any  binary  relation  symbol,  /,  let, 

Ti[f]  =  \/u,v  .  ftc{u,v)  ^  {u  =  v)y  3w  .  f{u,w)  A  ftc{w,v) 

We  first  observe  that  Ti  [/]  is  “complete”  in  a  very  limited  way  for  finite,  acyclic 
graphs,  i.e.,  ri[/]  exactly  characterizes  the  meaning  of  /tc  for  all  finite,  acyclic  graphs. 
The  reason  this  is  limited,  is  that  it  does  not  give  us  a  complete  set  of  first-order  axioms 
because,  as  is  well  known,  there  is  no  first-order  axiomatization  of  “finite”. 

Proposition  1.  Any  finite  and  acyclic  model  ofTi[f]  is  a  TC  model. 

Proof:  Let  .4  |=  Ti  [/]  where  A  is  finite  and  acyclic.  Let  Oq,  6  G  |.4|.  Assume  there  is 
an  /-path  from  qq  to  b.  Since  A  |=  Ti[f],  it  is  easy  to  see  that  A  |=  /tc(ao,  b). 

Conversely,  suppose  that  A  ^  /tc(ao)  b).  If  oq  =  b,  then  there  is  a  path  of  length  0 
from  Qq  to  b.  Otherwise,  by  Ti  [/],  there  exists  an  oi  G  |.4|  such  that  A  \=  /(oq,  Oi)  A 
/tc(ai,  b).  Note  that  oi  7^  qq  since  A  is  acyclic.  If  oi  =  5  then  there  is  an  /-path  of 
length  1  from  a  to  b.  Otherwise  there  must  exist  an  02  G  |Al|  such  that  A  ^  /(ui,  0,2)  A 
/tc(a2,  b)  and  so  on,  generating  a  set  {oi,  02, . . .}.  None  of  the  Oi  can  be  equal  to  Oj, 
for  j  <  i,  by  acyclicity.  Thus,  by  finiteness,  some  Ui  =  b.  Hence  .4  is  a  TC  model.  □ 

Let  T[  [/]  be  the  ^  direction  of  Ti  [/] : 

T{[f]  =  yu,v  .  ftc{u,v)  ^  {u  =  v)V  3w  .  f{u,w)  A  ftc{w,v) 

Proposition  2.  Let  /tc  occur  only  positively  in  p.  If  p  is  TC  valid,  then  T[[f]  ^  p. 

Proof:  Suppose  that  T{[f]  p.  Let  A  |=  T{[f]  A  -^p.  Note  that  ftc  occurs  only 
negatively  in  ^p.  Furthermore,  since  A\=T[  [/],  it  is  easy  to  show  by  induction  on  the 
length  of  the  path,  that  if  there  is  an  /-path  from  a  to  6  in  A,  then  A  |=  /tc(a,  b).  Define 
A'  to  be  the  model  formed  from  A  by  interpreting  ftc  in  A'  as  (Z"^)*.  Thus  A'  is  a  TC 
model  and  it  only  differs  from  A  by  the  fact  that  we  have  removed  zero  or  more  pairs 


from  (/tc)"^  to  form  (/tc)"^  ■  Because  A  ^  ^(p  and  ftc  occurs  only  negatively  in  ^(p, 
it  follows  that  A'  ^  which  contradicts  the  assumption  that  ip  is  TC  valid.  □ 

Proposition  2  shows  that  proving  positive  facts  of  the  form  ftc{u,  v)  is  easy;  it  is  the 
task  of  proving  that  paths  do  not  exist  that  is  more  subtle. 

Proposition  1  shows  that  what  we  are  missing,  at  least  in  the  acyclic  case,  is  that 
there  is  no  first-order  axiomatization  of  finiteness.  Traditionally,  when  reasoning  about 
the  natural  numbers,  this  problem  is  mitigated  by  adding  induction  axioms.  We  next 
introduce  an  induction  scheme  that,  together  with  Ti,  seems  to  be  sufficient  to  prove 
any  property  we  need  concerning  TC. 

Notation:  In  general,  we  will  use  F  to  denote  the  set  of  all  binary  relation  symbols, 
/,  such  that  TC[/]  occurs  in  a  formula  we  are  considering.  If  p[f]  is  a  formula  in 
which  /  occurs,  let  p[F]  =  ^  P’if)-  Thus,  for  example,  Ti[F]  is  the  conjunction  of 

feF 

the  axiom  Ti  [f]  for  all  binary  relation  symbols,  /,  under  consideration. 

Definition  1.  For  any  first-order  formulas  Z(u),  P{u),  and  binary  relation  symbol,  f, 
let  the  induction  principle,  IND[Z,  P,  /],  be  the  following  first-order  formula: 

(Vz  .  Z{z)  P{z))  A  (Vu,  V  .  P{u)  A  f{u,  v)  P{v)) 

^\/u,z.  Z{z)  A  /tc(z,  u)  P{u) 

The  induction  principle  says  that  if  every  zero  point  satisfies  P,  and  P  is  preserved 
when  following  edges,  then  every  point  reachable  from  a  zero  point  satisfies  P.  Obvi¬ 
ously  this  principle  is  sound. 

As  an  easy  application  of  the  induction  principle,  consider  the  following  cousin  of 

Ti[fl 

T2[f]  =  yu,v  .  ftc{u,v)  ^  {u  =  v)\/ 3w  .  ftc{u,w)  A  f{w,v) 

It  is  easy  to  see  that  neither  of  Ti[f],  T2[f]  implies  the  other.  However,  in  the  pres¬ 
ence  of  the  induction  principle  they  do  imply  each  other.  For  example,  it  is  easy  to 
prove  T2[f]  from  Ti[f]  using  lND[Z,P,f]  where  Z{v)  =  v  =  u  and  P{v)  =  u  = 
V  V  Bw  .  /tc(u,  w)  A  f{w,  v).  Here,  for  each  u  we  use  IND[Z,  P,  f]  to  prove  by  induc¬ 
tion  that  every  v  reachable  from  u  satisfies  the  right-hand  side  of  T2  [/]. 

A  related  axiom  scheme  that  we  have  found  useful  is  the  transitivity  of  reachability: 
Trans[/]  =  Vm,  v,  w  .  fidu,  w)  A  ftc{w,  v)  ftc{u,  v) 

4  Coloring  Axioms 

We  next  describe  three  TC-sound  axioms  schemes  that  are  not  implied  by  Ti[F]  Ar2[^’], 
and  are  provable  from  the  induction  principle  of  Section  3.  We  will  see  in  the  sequel 
that  these  coloring  axioms  are  very  useful  in  proving  that  paths  do  not  exist,  permitting 
us  to  verify  a  variety  of  algorithms.  In  Section  5,  we  will  present  some  heuristics  for 
automatically  choosing  particular  instances  of  the  coloring  axiom  schemes  that  enable 
us  to  prove  our  goal  formulas. 

The  first  coloring  axiom  scheme  is  the  NoExit  axiom  scheme: 

{yUjV .  A{u)  A  ^A{v)  ^  ^f{u,v))  yUjV .  A{u)  A  ^A{v)  ^  ^ftc{u,v)  (1) 

for  any  first-order  formula  A{u),  and  binary  relation  symbol,  /,  NoExit[A,  /]  says  that 
if  no  /-edge  leaves  color  class  A,  then  no  /-path  leaves  color  class  A. 


Observe  that  although  it  is  very  simple,  NoExit[A,  /]  does  not  follow  from  Ti  [/]  A 
T2[f].  Let  Gi  =  {V,  f,  ftc,  A)  consist  of  two  disjoint  cycles:  V  =  {1,2, 3, 4},  /  = 
1(1, 2),  (2, 1),  (3, 4),  (4, 3)},  and  A  =  {1,  2}.  Let  ftc  have  all  16  possible  edges.  Thus 
Gi  satisfies  Ti  [/]  AT2  [/]  but  violates  NoExit[A,  /] .  Even  for  acyclic  models,  NoExit[A,  /] 
does  not  follow  from  Ti  [f]  A  T2  [f]  because  there  are  infinite  models  in  which  the  im¬ 
plication  does  not  hold  (see  [12]). 

NoExit[A,  /]  follows  easily  from  the  induction  principle:  if  no  edges  leave  A,  then 
induction  tells  us  that  everything  reachable  from  a  point  in  A  satisfies  A.  Similarly, 
NoExit]^,  /]  implies  the  induction  axiom,  IND[Z,  A,  /],  for  any  formula  Z. 

The  second  coloring  axiom  scheme  is  the  GoOut  axiom:  for  any  first-order  formulas 
A{u),  B{u),  and  binary  relation  symbol,  /,  GoOut[A,  B,  f]  says  that  if  the  only  edges 
leaving  color  class  A  are  to  B,  then  any  path  from  a  point  in  A  to  a  point  not  in  A  must 
pass  through  B. 

(Vtt,  V  .  A{u)  A  ^A{v)  A  f{u,  v)  B{v)) 

Vm,  V  .  A{u)  A  -^A{v)  A  ftc{u,  v)  ^3h.  B{b)  A  ftc{u,  b)  A  ftc{b,  v) 

To  see  that  GoOut[2l,  B,  f]  follows  from  the  induction  principle,  assume  that  the 
only  edges  out  of  A  enter  B.  For  any  fixed  u  in  A,  we  prove  by  induction  that  any  point 
V  reachable  from  u  is  either  in  A  or  has  a  predecessor,  b  in  B,  that  is  reachable  from  u. 

The  third  coloring  axiom  scheme  is  the  NewStart  axiom,  which  is  useful  in  the 
context  of  dynamically  changing  graphs:  for  any  first-order  formula  A{u),  and  binary 
relation  symbols  /  and  g,  think  of  /  as  the  previous  edge  relation  and  g  as  the  current 
edge  relation.  NewStart[A,  /,  g]  says  that  if  there  are  no  new  edges  between  A  nodes, 
then  any  new  path  from  A  must  leave  A  to  make  its  change: 

(Vm,  V  .  A{u)  A  A{v)  A  g{u,  v)  f{u,  v)) 

Vm,  V  .  gtciu,  v)  A  -'/tc(M,  u)  ^  35 .  ^A{b)  A  gtc{u,  b)  A  gtc{b,  v) 

NewStart]^,  /,  g]  follows  from  the  induction  principle  by  a  proof  that  is  similar  to 
the  proof  of  GoOut  [^,  B,  /] 

We  remark  that  the  spirit  behind  our  consideration  of  the  coloring  axioms  is  similar 
to  that  found  in  a  paper  of  Greg  Nelson’s  in  which  he  introduced  a  set  of  reachability 
axioms  for  a  functional  predicate,  /,  i.e.,  there  is  at  most  one  /  edge  leaving  any  point 
[10].  Nelson  asked  whether  his  axiom  schemes  are  complete  for  the  functional  setting. 
We  remark  that  Nelson’s  axiom  schemes  are  provable  from  Ti  plus  our  induction  prin¬ 
ciple.  However,  Nelson’s  axiom  schemes  are  not  complete:  we  constructed  a  functional 
graph  satisfying  Nelson’s  axioms  but  violating  NoExit[A,  /],  (see  [12]). 

At  least  one  of  Nelson’s  axiom  schemes  does  seem  orthogonal  to  our  coloring  ax¬ 
ioms  and  may  be  useful  in  certain  proofs.  Nelson’s  fifth  axiom  scheme  states  that  the 
points  reachable  from  a  given  point  are  linearly  ordered.  The  soundness  of  the  axiom 
scheme  is  due  to  the  fact  that  /  is  functional.  We  make  use  of  a  simplified  version  of 
Nelson’s  ordering  axiom  scheme:  Let  Func[/]  =  Vu,  v,  w  .  f{u,  v)Af{u,  w)  ^  v  =  w, 
then. 


Order[/]  =  Func[f]  ^  yu,v,w .  ftc{u,v)  A  ftc{u,w)  ftc{v,w)  V  ftc{w,v) 


5  Heuristics  for  Using  the  Coloring  Axioms 

This  section  presents  heuristics  for  using  the  coloring  axioms.  Toward  that  end,  it  an¬ 
swers  the  following  questions: 

-  How  can  the  coloring  axioms  be  used  by  a  theorem  prover  to  prove  x? 

-  When  should  a  specific  instance  of  a  coloring  axiom  be  given  to  the  theorem  prover 
while  trying  to  prove  x? 

-  What  part  of  the  process  can  be  automated? 

We  first  present  a  running  example  that  will  be  used  in  later  sections  to  illustrate  the 
heuristics.  We  then  explain  how  the  coloring  axioms  are  useful,  describe  the  search 
space  for  useful  axioms,  give  an  algorithm  for  exploring  this  space,  and  conclude  by 
discussing  a  prototype  implementation  we  have  developed  that  proves  the  example  pre¬ 
sented  and  others. 

5.1  Reverse  Specification 

The  heuristics  described  in  Sections  5. 2-5.4  are  illustrated  on  problems  that  arise  in  the 
verification  of  partial  correctness  of  a  list  reversal  procedure.  Other  examples  proven 
using  this  technique  can  be  found  in  the  full  version  of  this  paper  [12]. 

The  procedure  reverse,  shown  in  Fig.  1,  performs  in-place  reversal  of  a  singly  linked 
list,  destructively  updating  the  list.  The  precondition  requires  that  the  input  list  be 
acyclic  and  unshared.  For  simplicity,  we  assume  that  there  is  no  garbage.  The  post¬ 
condition  ensures  that  the  resulting  list  is  acyclic  and  unshared.  Also,  it  ensures  that  the 
nodes  reachable  from  the  formal  parameter  on  entry  to  reverse  are  exactly  the  nodes 
reachable  from  the  return  value  of  reverse  at  the  exit.  Most  importantly,  it  ensures  that 
each  edge  in  the  original  list  is  reversed  in  the  returned  list. 

The  specification  for  reverse  is  shown  in 
Fig.  2.  We  use  unary  predicates  to  represent 
program  variables  and  binary  predicates  to 
represent  data-structure  fields.  Fig.  2(a)  de¬ 
fines  some  shorthands.  To  specify  that  a  unary 
predicate  2  can  point  to  a  single  node  at  a  time 
and  that  a  binary  predicate  /  of  a  node  can 
point  to  at  most  one  node  (a  partial  function), 
we  use  unique[z]  and  func[f]  .  To  specify 
that  there  are  no  cycles  of  /-fields  in  the  graph, 
we  use  acyclic[f].  To  specify  that  the  graph 
does  not  contain  nodes  shared  by  /-fields,  (i.e., 
nodes  with  2  or  more  incoming  /-fields),  we 
use  unshared[f].  To  specify  that  all  nodes  in 
the  graph  are  reachable  from  zi  or  Z2  by  fol¬ 
lowing  /-fields,  we  use  total[zi,  Z2,  f]-  Another  helpful  shorthand  is  r^jiv)  which 
specifies  that  v  is  reachable  from  the  node  pointed  to  by  x  using  /-edges. 

The  precondition  of  the  reverse  procedure  is  shown  in  Fig.  2(b).  We  use  the  predi¬ 
cates  xe  and  ne  to  record  the  values  of  the  variable  x  and  the  next  field  at  the  beginning 
of  the  procedure.  The  precondition  requires  that  the  list  pointed  to  by  x  be  acyclic  and 
unshared.  It  also  requires  that  unique[z]  and  func[f]  hold  for  all  unary  predicates  2; 
that  represent  program  variables  and  all  binary  predicates  /  that  represent  fields,  respec¬ 
tively.  For  simplicity,  we  assume  that  there  is  no  garbage,  i.e.,  all  nodes  are  reachable 
from  X. 


Node 

reverse (Node  x){ 

[0] 

Node  y  =  null; 

[1] 

while  (x  !=  null){ 

[2] 

Node  t  =  x.next; 

[3] 

x.next  =  y; 

[4] 

y  =  x; 

[5] 

X  =  t  ; 

[6] 

} 

[7] 

} 

return  y; 

Fig.l. 

A  simple  Java-like  implemen- 

tation  of  the  in-place  reversal  of  a 
singly-linked  list. 


The  post-condition  is  shown  in  Fig.  2(c).  It  ensures  that  the  resulting  list  is  acyclic 
and  unshared.  Also,  it  ensures  that  the  nodes  reachable  from  the  formal  parameter  x  on 
entry  to  the  procedure  are  exactly  the  nodes  reachable  from  the  return  value  y  at  the 
exit.  Most  importantly,  we  wish  to  show  that  each  edge  in  the  original  list  is  reversed  in 
the  returned  list  (see  Eq.  (11)). 

A  loop  invariant  is  given  in  Fig.  2(d).  It  describes  the  state  of  the  program  at  the 
beginning  of  each  loop  iteration.  Every  node  is  in  one  of  two  disjoint  lists  pointed  by  x 
and  y  (Eq.  (12)).  The  lists  are  acyclic  and  unshared.  Every  edge  in  the  list  pointed  to  by 
X  is  exactly  an  edge  in  the  original  list  (Eq.  (14)).  Every  edge  in  the  list  pointed  to  by  y 
is  the  reverse  of  an  edge  in  the  original  list  (Eq.  (15)).  The  only  original  edge  going  out 
of  j/  is  to  x  (Eq.  (16)). 

The  transformer  is  given  in  Fig.  2(e),  using  the  primed  predicates  n' ,  x' ,  and  y'  to 
describe  the  values  of  predicates  n,  x,  and  y,  respectively,  at  the  end  of  the  iteration. 


unique[z]  =  'ivi,V2-z{vi)  A  z{v2)  ^  Vi  =  V2 

(4) 

func[f]  =  yvi,V2,  v.f{v,  wi)  A  f{v,  V2)  ^  vi  =  V2 

(5) 

(a) 

acyclic[f]  =  Vui,  V2.^/(wi,  V2)  V  ^TC[/](t;2,  ui) 

(6) 

unshared[f]  =  Vui,  V2,  v.f{vi,v)  A  f{v2,  v)  ^  vi  =  V2 

(7) 

total [zi ,Z2,f]  =  yv3w.{zi (w)  V  Z2 (w) )  A  TC [/]  (w,  v) 

(8) 

r^j{v)  =  3w.x(w)  ATC[/]('u;,t;) 

(9) 

(b) 

pre  =  total\xe,xe,ne\  A  acyclic\ne\  A  unshared\ne\  A  unique\xe\  A  func\ne] 

(10) 

(c) 

post  =  totally,  Vi  n]  A  acyclic\n]  A  unshared\n]  A  yvi,V2-ne{vi,V2)  n(v2,vi) 

(11) 

LIlx,y,n]  =  totallx,y,n]  A  V  A 

(12) 

acyclic[n]  A  unshared[n]  A  unique[x]  A  uniquely]  ^  funcln]  A 

(13) 

(d) 

yvi,V2.{ra;,„{vi)  {ne{vi,V2)  ^  n{vi,V2)))  A 

(14) 

yvi,V2.{ry^n{v)  A  ^y{vi)  {ne{vi,V2)  ^  n{v2,vi)))  A 

(15) 

yvi,V2,v.y(vi)  (x(v2)  ^  ne(vi,V2)) 

(16) 

(e) 

T  A  yv.{y'{v)  ^  x(v))  A  yv.(x'(v)  ^  3iu.x(iu)  A  n{w,v))  A 

yvi,V2.n(vi,V2)  ^  ((n(vi,V2)  A  ^x(vi))  V  (a;(vi)  A  yM)) 

(17) 

Fig.  2.  Example  specification  of  reverse  procedure:  (a)  shorthands,  (b)  precondition  pre, 
(c)  postcondition  post,  (d)  loop  invariant  LI[x,y,n],  (e)  transformer  T  (effect  of  the 
loop  body). 


5.2  Proving  Formulas  using  the  Coloring  Axioms 

All  the  coloring  axioms  have  the  form  A  =  Pa  Ca,  where  Pa  and  Ca  are  closed 
formulas.  We  call  Pa  the  axiom’s  premise  and  Ca  the  axiom’s  conclusion.  For  an  axiom 
to  be  useful,  the  theorem  prover  will  have  to  prove  the  premise  (as  a  subgoal)  and  then 
use  the  conclusion  in  the  proof  of  the  goal  formula  x-  For  each  of  the  coloring  axioms, 
we  now  explain  when  the  premise  can  be  proved,  how  its  conclusion  can  help,  and  give 
an  example. 

NoExit.  The  premise  TjiijoExit  /]  s'^ates  that  there  are  no  /-edges  exiting  color 
class  C.  When  C  is  a  unary  predicate  appearing  in  the  program,  the  premise  is  some- 


times  a  direct  result  of  the  loop  invariant.  Another  color  that  will  be  used  heavily 
throughout  this  section  is  reachability  from  a  unary  predicate,  i.e.,  unary  reachability, 
formally  defined  in  Eq.  (9).  Let’s  examine  two  cases.  /]  immediate 

from  the  definition  of  TxJ  and  the  transitivity  of  /tc.  f]  actually  states 

that  there  is  no  /  path  from  x  to  an  edge  for  which  /'  holds  but  /  doesn’t,  i.e.,  a  change 
in  /'  with  respect  to  /.  Thus,  we  use  the  absence  of  /-paths  to  prove  the  absence  of 
/'-paths.  In  many  cases,  the  change  is  an  important  part  of  the  loop  invariant,  and  paths 
from  and  to  it  are  part  of  the  specification. 

A  sketch  of  the  proof  by  refutation  of  arises  in  the  reverse 

example  is  given  in  Fig.  3.  The  numbers  in  brackets  are  the  stages  of  the  proof. 

1.  The  negation  of  the  premise  expands  to: 


3ui,U2,U3  .x'{ui)  A  ntc{ui,U2)  A  ^ntc('Ui,M3)  A  n'{u2,U3) 

2.  Since  U2  is  reachable  from  ui  and  us  is  not,  by  transitivity  of  rite,  we  have  ^n{u2,  u-a). 

3.  By  the  definition  of  n'  in  the  transformer,  the  only  edge  in  which  n  differs  from 
n'  is  out  of  X  (one  of  the  clauses  generated  from  Eq.  (17)  is  Vui,  U2  .  ~^n'{vi,V2)  V 
^n{vi,V2)  V  x{vi)) .  Thus,  x{u2)  holds. 

4.  By  the  definition  of  x'  it  has  an  incoming  n  edge  from  x.  Thus,  n{u2,  ui)  holds. 

The  list  pointed  to  by  x  must  be  acyclic,  whereas  we  have  a  cycle  between  ui  and  U2', 
i.e.,  we  have  a  contradiction.  Thus,  T^NoExitl^^'."’  hold. 


^NoExit  /]  states  there  are  no  /  paths  (/tc  edges)  exiting  C.  This  is  useful 
because  proving  the  absence  of  paths  is  the  difficult  part  of  proving  formulas  with  TC. 

GoOut.  The  premise  T^GoOutl^’  •^1  states  that  all  /  edges  going  out  of  color 
class  A,  go  to  B.  When  A  and  B  are  unary  predicates  that  appear  in  the  program,  again 
the  premise  sometimes  holds  as  a  direct  result  of  the  loop  invariant.  An  interesting  spe¬ 
cial  case  is  when  B  is  defined  as  .  ^(w)  A  /(w,  v).  In  this  case  the  premise  is  im¬ 
mediate.  Note  that  in  this  case  the  conclusion  is  provable  also  from  Ti.  However,  from 
experience,  the  axiom  is  very  useful  for  improving  performance  (2  orders  of  magnitude 
when  proving  the  acyclic  part  of  reverse’s  post  condition). 

CgoOuiI^’  /]  states  that  all  paths  out  of  A  must  pass  through  B.  Thus,  under 
the  premise  ^’GoOuft^’  know  that  there  is  a  path  from  A  to  somewhere 

outside  of  A,  we  know  that  there  is  a  path  to  there  from  B.  In  case  all  nodes  in  B  are 
reachable  from  all  nodes  in  A,  together  with  the  transitivity  of  /tc  this  means  that  the 
nodes  reachable  from  B  are  exactly  the  nodes  outside  of  A  that  are  reachable  from  A. 

For  example,  CgoOuI  W  ^  ]  allows  us  to  prove  that  only  the  original  list  pointed 
to  by  y  is  reachable  from  y'  (in  addition  to  y'  itself). 

NewStart.  The  premise  ^NewStart  '^hat  all  g  edges  between  nodes  in 

C  are  also  h  edges.  This  can  mean  the  iteration  has  not  added  edges  or  has  not  removed 


edges  according  to  the  selection  of  h  and  g.  In  some  cases,  the  premise  holds  as  a  direct 
result  of  the  definition  of  C  and  the  loop  invariant. 

^NewStarft^’  9’  means  that  every  g  path  that  is  not  an  h  path  must  pass  outside 
of  C.  Together  with  C']\oExit[^’  5]’  Proves  there  are  no  new  paths  within  C. 

For  example,  in  reverse  the  NewStart  scheme  can  be  used  as  follows.  No  outgoing 
edges  were  added  to  nodes  reachable  from  y.  There  are  no  n  or  n!  edges  from  nodes 
reachable  from  y  to  nodes  not  reachable  from  y.  Thus,  no  paths  were  added  between 
nodes  reachable  from  y.  Since  the  list  pointed  to  by  y  is  acyclic  before  the  loop  body, 
we  can  prove  that  it  is  acyclic  at  the  end  of  the  loop  body. 

We  can  see  that  NewStart  allows  the  theorem  prover  to  reason  about  paths  within 
a  color,  and  the  other  axioms  allow  the  theorem  prover  to  reason  about  paths  between 
colors.  Together,  given  enough  colors,  the  theorem  prover  can  often  prove  all  the  facts 
that  it  needs  about  paths  and  thus  prove  the  formula  of  interest. 

5.3  The  Search  Space  of  Possible  Axioms 

To  answer  the  question  of  when  we  should  use  a  specific  instance  of  a  coloring  ax¬ 
iom  when  attempting  to  prove  the  target  formula,  we  first  define  the  search  space  in 
which  we  are  looking  for  such  instances.  The  axioms  can  be  instantiated  with  the  colors 
defined  by  an  arbitrary  unary  formula  (one  free  variable)  and  one  or  two  binary  predi¬ 
cates.  First,  we  limit  ourselves  to  binary  predicates  for  which  TC  was  used  in  the  target 
formula.  Now,  since  it  is  infeasible  to  consider  all  arbitrary  unary  formulas,  we  start 
limiting  the  set  of  colors  we  consider. 

The  initial  set  of  colors  to  consider  are  unary  predicates  that  occur  in  the  formula 
we  want  to  prove.  Interestingly  enough,  these  colors  are  enough  to  prove  that  the  post¬ 
condition  of  mark  and  sweep  is  implied  by  the  loop  invariant,  because  the  only  axiom 
we  need  is  NoExit  [marfcec?,  /]. 

An  immediate  extension  that  is  very  effective  is  reachability  from  unary  predicates, 
as  defined  in  Eq.  (9).  Instantiating  all  possible  axioms  from  the  unary  predicates  appear¬ 
ing  in  the  formula  and  their  unary  reachability  predicates,  allows  us  to  prove  reverse.  For 
a  list  of  the  axioms  needed  to  prove  reverse,  see  Fig.  4.  Other  example  are  presented 
in  [12].  Finally,  we  consider  Boolean  combinations  of  the  above  colors.  Though  not 
used  in  the  examples  shown  in  this  paper,  this  is  needed,  for  example,  in  the  presence 
of  sharing  or  when  splicing  two  lists  together. 


NoExit[ra;',„,n'] 

GoOut[a;,  x',  n] 

NewStart 

n,  n'j 

NewStart  [r a;/ n',  n] 

NoExit[ra;',ri',n] 

GoOut[a;,  y,  n'] 

NewStart 

,  n,  n'  j 

NewStart  ,  n' ,  n] 

NoExit[ry_„,  n'] 

NewStart  [ry_„, 

n,  n'j 

NewStart[ry_„,  n',  n] 

NoExit[ry_„/,  n] 

NewStart[ry_„/, 

n,  n'j 

NewStart[ry_„/,  n',  n] 

Fig.  4.  The  instances  of  coloring  axioms  used  in  proving  reverse. 


All  the  colors  above  are  based  on  the  unary  predicates  that  appear  in  the  original 
formula.  To  prove  the  reverse  example,  we  needed  x'  as  part  of  the  initial  colors. 
Table  1  gives  a  heuristic  for  finding  the  initial  colors  we  need  in  cases  when  they  cannot 
be  deduced  from  the  formula,  and  how  it  applies  to  reverse 

An  interesting  observation  is  that  the  initial  colors  we  need  can,  in  many  cases,  be 
deduced  from  the  program  code.  As  in  the  previous  section,  we  have  a  good  way  for 
deducing  paths  between  colors  and  within  colors  in  which  the  edges  have  not  changed. 
The  program  usually  manipulates  fields  using  pointers,  and  can  traverse  an  edge  only  in 


one  direction.  Thus,  the  unary  predicates  that  represent  the  program  variables  (including 
the  temporary  variables)  are  in  many  cases  what  we  need  as  initial  colors. 


Group 

Criteria 

Roots  [f] 

All  changes  are  reachable  from  one  of  the  colors  using  /tc 

StartChange[f,g] 

All  edges  for  which  /  and  g  differ  start  from  a  node  in  these  colors 

EndChange[f,g] 

All  edges  for  which  /  and  g  differ  end  at  a  node  in  these  colors 

(a) 


Group 

Colors 

Group 

Colors 

Roots[n] 

x{v),  y{v) 

StartChange[n,  n'] 

x(v) 

Roots[n'] 

x'{v),  y'{v) 

EndChange[n,  n'] 

y{v),  x'(v) 

(b) 

Table  1.  (a)  Heuristic  for  choosing  initial  colors,  (b)  Results  of  applying  the  heuristic 
on  reverse. 


5.4  Exploring  the  Search  Space 


When  trying  to  automate  the  process  of  choosing  colors,  the  problem  is  that  the  set  of 
possible  colors  to  choose  from  is  doubly-exponential  in  the  number  of  initial  colors; 
giving  all  the  axioms  directly  to  the  theorem  prover  is  infeasible.  In  this  section,  we 
define  a  heuristic  algorithm  for  exploring  a  limited  number  of  axioms  in  a  directed  way. 
Pseudocode  for  this  algorithm  is  shown  in  Fig.  5.  The  operator  h  is  implemented  as  a 
call  to  a  theorem  prover. 


explore  (Init,  x)  { 

Let  X  =  ^  V 

E  ■-  {Trans[/],Order[/]  \  f  £  F} 
E-.=  EU{T,[f],T2[f]\f£F} 

C  :=  {rcj{v)  I  c  G  Init,  f  £  F} 

C  :=  C  LI  Init 
i  :=  1 

forever  { 

C'  :=  BC{i,  C) 
phasel  (C ,  E ,  Ip) 
phase!  (C' ,  E ,  pi) 
phase!  (E ,  ip) 
if  E  Alp  \-  if 

return  SUCCESS 


i  :=  i  +  1 

} 

} 


phasel  (C ,  E,  ip)  { 

f  oreach  f  £  F,  Cs  ^  Ce  £  C 
if  E  Alp\-  PQ^Q^^^[Cs,Ce,f] 

E  :=  E\J  {C'(j(,Out[cs>  Ce,  /]} 

} 

phase!  (C ,  E ,  ip)  { 
foreach  f  £  F,c  £  C 
if  TNoExit[c>/] 

r  :=  {CNnF,xit[c,  /]} 


phase!  (E ,  ip)  { 

foreach  ^NnExitb,  f]£  E,g  ^  f  £  F 
if  E  A  ip£  pNewStart [c.  /.  9] 

E  :=  ED  f,g]} 


Fig.  5.  An  iterative  algorithm  for  instantiating  the  axiom  schemes.  Each  iteration  con¬ 
sists  of  three  phases  that  augment  the  axiom  set  E 

Because  the  coloring  axioms  have  the  form  A  =  Pa  — >  Ca,  the  theorem  prover 
must  prove  Px  or  the  axiom  is  of  no  use.  Therefore,  the  pseudocode  works  iteratively, 
trying  to  prove  Pa  from  the  current  ip  A  E,  and  if  successful  it  adds  Ca  to  E. 

The  algorithm  tries  colors  in  increasing  levels  of  complexity.  BC{i,  C)  gives  all  the 
Boolean  combinations  of  the  predicates  in  C  up  to  size  i.  After  each  iteration  we  try  to 


prove  the  goal  formula.  Sometimes  we  need  the  conclusion  of  one  axiom  to  prove  the 
premise  of  another.  The  NoExit  axioms  are  particularly  useful  for  proving  ^’]\ewStart- 
Therefore,  we  need  a  way  to  order  instantiations  so  that  axioms  useful  for  proving  the 
premises  of  other  axioms  are  acquired  first.  The  ordering  we  chose  is  based  on  phases: 
First,  try  to  instantiate  axioms  from  the  axiom  scheme  GoOut.  Second,  try  to  instan¬ 
tiate  axioms  from  the  axiom  scheme  NoExit.  Finally,  try  to  instantiate  axioms  from 
the  axiom  scheme  NewStart.  For  NewStart[c,  /,  g]  to  be  useful,  we  need  to  be  able  to 
show  that  there  are  either  no  incoming  /  paths  or  no  outgoing  /  paths  from  c.  Thus, 
we  only  try  to  instantiate  such  an  axiom  when  either  ^NoExitl*"’  •^1  ^NoExit  K/] 
were  proven. 

5.5  Implementation 

The  algorithm  presented  here  was  implemented  using  a  Perl  script  and  the  Spass 
theorem  prover  [9]  and  used  successfully  to  verify  the  example  programs  of  Section  5.1. 

The  method  described  above  can  be  optimized.  For  instance,  if  Ca  has  already  been 
added  to  the  axioms,  we  do  not  try  to  prove  Pa  again.  These  details  are  important  in 
practice,  but  have  been  omitted  for  brevity. 

When  trying  to  prove  the  different  premises,  Spass  may  fail  to  terminate  if  the 
formula  that  it  is  trying  to  prove  is  invalid.  Thus,  we  limit  the  time  that  Spass  can 
spend  proving  each  formula.  It  is  possible  that  we  will  fail  to  acquire  useful  axioms  this 
way. 

6  Related  Work 

Shape  Analysis.  This  work  was  motivated  by  our  experience  with  TVLA  [4, 5],  which 
is  a  generic  system  for  abstract  interpretation  [13].  The  TVLA  system  is  more  auto¬ 
matic  than  the  methods  described  in  this  paper  since  it  does  not  rely  on  user-supplied 
loop  invariants.  However,  the  techniques  presented  in  the  present  paper  are  potentially 
more  precise  due  to  the  use  of  full  first-order  reasoning.  It  can  be  shown  that  the 
NoExit  scheme  allows  to  infer  reachability  at  least  as  precisely  as  evaluation  rules  for 
3- valued  logic  with  Kleene  semantics.  In  the  future,  we  hope  to  develop  an  efficient 
non-interactive  theorem  prover  that  enjoys  the  benefits  of  both  approaches.  An  interest¬ 
ing  observation  is  that  the  colors  needed  in  our  examples  to  prove  the  formula  are  the 
same  unary  predicates  used  by  TVLA  to  define  its  abstraction.  This  similarity  may,  in 
the  future,  help  us  find  better  ways  to  automatically  instantiate  the  required  axioms.  In 
particular,  inductive  logic  programming  has  recently  been  used  to  learn  formulas  to  use 
in  TVLA  abstractions  [14],  which  holds  out  the  possibility  of  applying  similar  methods 
to  further  automate  the  approach  of  the  present  paper. 

Decidable  Logics.  Decidable  logics  can  be  employed  to  define  properties  of  linked 
data  structures:  Weak  monadic  second-order  logic  has  been  used  in  [15,8]  to  define 
properties  of  heap-allocated  data  structures,  and  to  conduct  Hoare-style  verification  us¬ 
ing  programmer-supplied  loop  invariants  in  the  PALE  system  [8].  A  decidable  logic 
called  Lr  (for  “logic  of  reachability  expressions”)  was  defined  in  [16].  is  rich  enough 
to  express  the  shape  descriptors  studied  in  [17]  and  the  path  matrices  introduced  in  [18]. 

The  present  paper  does  not  develop  decision  procedures,  but  instead  suggests  meth¬ 
ods  that  can  be  used  in  conjunction  with  existing  theorem  provers.  Thus,  the  techniques 
are  incomplete  and  the  theorem  provers  need  not  terminate.  However,  our  initial  experi¬ 
ence  is  that  the  extra  flexibility  gained  by  the  use  of  first-order  logic  with  transitive  clo¬ 
sure  is  promising.  For  example,  we  can  prove  the  correctness  of  imperative  destructive 


list-reversal  specified  in  a  natural  way  and  the  correctness  of  mark  and  sweep  garbage 
collectors,  which  are  beyond  the  scope  of  Mona  and 

Indeed,  in  [19],  we  have  tried  to  simulate  existing  data  structures  using  decidable 
logics  and  realized  that  this  can  be  tricky  because  the  programmer  may  need  to  prove 
a  specific  simulation  invariant  for  a  given  program.  Giving  an  inaccurate  simulation 
invariant  causes  the  simulation  to  be  unsound.  One  of  the  advantages  of  the  technique 
described  in  the  present  paper  is  that  soundness  is  guaranteed  no  matter  which  axioms 
are  instantiated.  Moreover,  the  simulation  requirements  are  not  necessarily  expressible 
in  the  decidable  logic. 

Other  First-Order  Axiomatizations  of  Linked  Data  Structures.  The  closest  ap¬ 
proach  to  ours  that  we  are  aware  of  was  taken  by  Nelson  as  we  describe  in  the  full 
version  of  the  paper  [12].  This  also  has  some  follow-up  work  by  Leino  and  Joshi  [20]. 
Our  impression  from  their  write-up  is  that  Leino  and  Joshi’s  work  can  be  pushed  for¬ 
ward  by  using  our  coloring  axioms. 

Dynamic  Maintenance  of  Transitive  Closure.  Another  orthogonal  but  promising 
approach  to  transitive  closure  is  to  maintain  reachability  relations  incrementally  as  we 
make  unit  changes  in  the  data  structure.  It  is  known  that  in  many  cases,  reachability  can 
be  maintained  by  first-order  formulas  [21,22]  and  even  sometimes  by  quantifier- free 
formulas  [23].  Furthermore,  in  these  cases,  it  is  often  possible  to  automatically  derive 
the  first-order  update  predicates  using  finite  differencing  [24]. 

7  Conclusion 

This  paper  reports  on  our  initial  attempts  at  applying  the  methodology  that  has  been 
described;  hence,  only  preliminary  conclusions  can  be  drawn. 

As  mentioned  earlier,  proving  the  absence  of  paths  is  the  difficult  part  of  proving 
formulas  with  TC.  The  promise  of  the  approach  is  that  it  is  able  to  handle  such  formulas 
effectively  and  reasonably  automatically,  as  shown  by  the  fact  that  it  can  successfully 
handle  the  programs  described  in  Section  5  and  the  full  version  of  the  paper  [12].  Many 
issues  remain  for  further  work,  such  as, 

-  Establishing  whether  Ti[F]  plus  the  induction  scheme  is  complete  for  interesting 
subclasses  of  formulas  (e.g.  functional  graphs). 

-  Exploring  other  heuristics  for  identifying  color  classes. 

-  Exploring  variations  of  the  algorithm  given  in  Eig.  5  for  instantiating  coloring  ax¬ 
ioms. 

-  Exploring  the  use  of  additional  axiom  schemes,  such  as  two  of  the  schemes  from 
[10],  which  are  likely  to  be  useful  when  dealing  with  predicates  that  are  partial  func¬ 
tions.  Such  predicates  arise  in  programs  that  manipulate  singly-linked  or  doubly- 
linked  lists — or,  more  generally,  data  structures  that  are  acyclic  in  one  or  more 
“dimensions”  [25]  (i.e.,  in  which  the  iterated  application  of  a  given  field  selector 
can  never  return  to  a  previously  visited  node). 

Thanks  to  Aharon  Abadi  and  Roman  Manevich  for  interesting  suggestions. 
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